Fix two bugs in regidx.c: OOB array access and double-free

sirus20x6 · pd3 · commit a49df0c463cb · 2026-03-31T19:25:46.000+02:00
1. regidx_overlap: cap iend to nidx-1 instead of nidx, preventing
   an out-of-bounds read of list-&gt;idx[nidx] in the i&lt;=iend loop.

2. regidx_init: set str.s = NULL after freeing it so the error
   path does not double-free when hts_close() fails.
diff --git a/regidx.c b/regidx.c
@@ -289,6 +289,7 @@ regidx_t *regidx_init(const char *fname, regidx_parse_f parser, regidx_free_f fr
     }
 
     free(str.s);
+    str.s = NULL;
     if ( hts_close(fp)!=0 )
     {
         fprintf(stderr,"[%s] Error: close failed .. %s\n", __func__,fname);
@@ -441,7 +442,7 @@ int regidx_overlap(regidx_t *regidx, const char *chr, uint32_t beg, uint32_t end
         if ( !i )
         {
             int iend = iBIN(end);
-            if ( iend > list->nidx ) iend = list->nidx;
+            if ( iend >= list->nidx ) iend = list->nidx - 1;
             for (i=ibeg; i<=iend; i++)
                 if ( list->idx[i] ) break;
             if ( i>iend ) return 0;

Original file line number	Diff line number	Diff line change
`@@ -289,6 +289,7 @@ regidx_t regidx_init(const char fname, regidx_parse_f parser, regidx_free_f fr`
`289`	`289`	`}`
`290`	`290`
`291`	`291`	`free(str.s);`
	`292`	`+ str.s = NULL;`
`292`	`293`	`if ( hts_close(fp)!=0 )`
`293`	`294`	`{`
`294`	`295`	`fprintf(stderr,"[%s] Error: close failed .. %s\n", __func__,fname);`
`@@ -441,7 +442,7 @@ int regidx_overlap(regidx_t regidx, const char chr, uint32_t beg, uint32_t end`
`441`	`442`	`if ( !i )`
`442`	`443`	`{`
`443`	`444`	`int iend = iBIN(end);`
`444`		`- if ( iend > list->nidx ) iend = list->nidx;`
	`445`	`+ if ( iend >= list->nidx ) iend = list->nidx - 1;`
`445`	`446`	`for (i=ibeg; i<=iend; i++)`
`446`	`447`	`if ( list->idx[i] ) break;`
`447`	`448`	`if ( i>iend ) return 0;`